Query Privilege Migration

This page provides detailed procedures for migrating ACL-based query privileges in 3.x to object-based privileges in 4.1+. It also outlines the specific privileges required to successfully carry out the migration process.

To see Role-based Access Control(RBAC) Object-Based privileges, see user-access:rbac-row-policy/rbac-row-policy.adoc#_object_based_privileges.

Migrate ACL Privileges

Starting with TigerGraph 4.1, Access Control Lists (ACLs) are no longer available.

Query ACL privileges should be migrated automatically during upgrade.

Migrate Query ACL Owner

The query ACL owner will be granted OWNERSHIP privilege on the query owned by this user/role after upgrade.

Migrate Query ACL Reader

The query ACL readers will be granted READ privilege on the same query after upgrade.

Migrate Query ACL Executor

The query ACL executors will be granted EXECUTE privilege on the same query after upgrade.

In some cases, query ACL privileges can’t be migrated successfully. Then the owner of queries will become the user who operates the upgrade procedure.

Contact TigerGraph Support if you need help retaining ACL-like privileges after upgrading from version 3.x to 4.x.

Migrate Role-based Access Control(RBAC) Object-Based Query Privileges

Query Object-Based privileges are introduced in TigerGraph 4.1. CREATE privilege on queries will exist only at the global and local graph scope. Other query privileges, including READ, UPDATE, DROP, INSTALL, EXECUTE and OWNERSHIP, will exist only at the query scope.

All existing Query privileges will be migrated into Query Object-Based privileges during upgrade and be fully backwards-compatible with existing queries.

Changes for Built-in roles

READ_QUERY and WRITE_QUERY privileges will be removed from all built-in roles. The roles held WRITE_QUERY privilege before 4.1 will hold CREATE_QUERY privilege in the same scope since 4.1. superuser will be the owner of all queries. admin in one graph will be the owner of all queries in a local graph.

To check the detailed changes for all built-in roles, please check the following table.

Name Global or Local Removed Privilege New Privileges

Name	Global or Local	Removed Privilege	New Privileges
`observer`	Local	`READ_QUERY`	N/A
`queryreader`	Local	`READ_QUERY`	N/A
`querywriter`	Local	`WRITE_QUERY`	`CREATE_QUERY`
`designer`	Local	`WRITE_QUERY`	`CREATE_QUERY`
`admin`	Local	`WRITE_QUERY`	`CREATE_QUERY`, `OWNERSHIP` on ALL QUERIES
`globaldesigner`	Global	`WRITE_QUERY`	`CREATE_QUERY`
`superuser`	Global	`WRITE_QUERY`	`CREATE_QUERY`, `OWNERSHIP` on ALL QUERIES

observer

Local

READ_QUERY

N/A

queryreader

Local

READ_QUERY

N/A

querywriter

Local

WRITE_QUERY

CREATE_QUERY

designer

Local

WRITE_QUERY

CREATE_QUERY

admin

Local

WRITE_QUERY

CREATE_QUERY, OWNERSHIP on ALL QUERIES

globaldesigner

Global

WRITE_QUERY

CREATE_QUERY

superuser

Global

WRITE_QUERY

CREATE_QUERY, OWNERSHIP on ALL QUERIES

Migrate RBAC READ_QUERY privilege

READ_QUERY privilege will be migrated to READ_QUERY privilege on the query object level for all existing queries since we only keep query-level READ_QUERY privilege for all queries.

This migration process may be different for existing READ_QUERY privileges granted to built-in roles vs. user-defined roles.

Migrate RBAC READ_QUERY privilege for Built-in roles

The READ_QUERY privilege in global and graph level scopes for built-in roles is deprecated in TigerGraph 4.1. For the detailed changes of built-in roles, please refer to the table above.

If users were granted built-in roles with READ_QUERY privileges before upgrade, the READ_QUERY privileges will be granted to the users directly with all existing queries in the same scope.

For example:

User Alice is granted with the built-in role observer in graph recommend in TigerGraph 3.10, and there are two queries query1 and query2 in graph recommend. After the upgrade to TigerGraph 4.1, user Alice will have the READ_QUERY privileges on queries query1 and query2 in graph recommend.

Migrate RBAC READ_QUERY privilege for User-Defined roles

If users were granted user-defined roles with READ_QUERY privileges before upgrade, the READ_QUERY privileges will be granted to the same role with all existing queries in the same scope.

For example:

User Bob was granted the user-defined role myRole with READ_QUERY privilege in graph recommend in TigerGraph 3.10, and there are two queries query1 and query2 in graph recommend. After the upgrade to TigerGraph 4.1, role myRole will have the READ_QUERY privileges on query query1 and query2 in graph recommend. User Bob can still read queries query1 and query2 since he is still granted the role myRole.

Migrate RBAC WRITE_QUERY privilege

Prior to TigerGraph 4.1, WRITE_QUERY privilege permited making any type of change to a query. Hence, WRITE_QUERY privilege will be migrated to all privileges except OWNERSHIP for all existing queries, including READ_QUERY, UPDATE_QUERY, DROP_QUERY, INSTALL_QUERY, EXECUTE_QUERY on each query object and CREATE_QUERY on the same scope for WRITE_QUERY privilege.

Similarly, this migration process differs for WRITE_QUERY privileges when users are granted built-in roles vs. user-defined roles.

Migrate RBAC WRITE_QUERY privilege for Built-in roles

The WRITE_QUERY privilege is deprecated in TigerGraph 4.1. For the detailed changes of built-in roles, please refer to the table above.

If users were granted built-in roles with WRITE_QUERY privileges before upgrade, the following privileges, READ_QUERY, UPDATE_QUERY, DROP_QUERY, INSTALL_QUERY, EXECUTE_QUERY, will be granted to the users directly with all existing queries in the same scope.

For example:

User Alice was granted the built-in role designer in graph recommend in TigerGraph 3.10, and there are two queries query1 and query2 in graph recommend. After the upgrade to TigerGraph 4.1, user Alice will hold the READ_QUERY, UPDATE_QUERY, DROP_QUERY, INSTALL_QUERY, EXECUTE_QUERY privileges on queries query1 and query2 in graph recommend. At the same time, user Alice can still create queries in graph recommend since she still holds the role designer in graph recommend, which provides the CREATE_QUERY privilege in graph recommend.

Migrate RBAC WRITE_QUERY privilege for User-Defined roles

The WRITE_QUERY privilege in global and graph level scopes for user-defined roles is deprecated in TigerGraph 4.1.

If users were granted user-defined roles with WRITE_QUERY privileges before upgrade, the following privileges READ_QUERY, UPDATE_QUERY, DROP_QUERY, INSTALL_QUERY, EXECUTE_QUERY, will all be granted to the same role with all existing queries in the same scope. At the same time, CREATE_QUERY privilege on the same scope will be granted to the same role in the same scope.

For example:

User Bob was granted with the user-defined role myRole with WRITE_QUERY in graph recommend in TigerGraph 3.10, and there are two queries, query1 and query2 in graph recommend. After the upgrade to TigerGraph 4.1, role myRole will have the CREATE_QUERY privilege in graph recommend, and READ_QUERY, UPDATE_QUERY, DROP_QUERY, INSTALL_QUERY, EXECUTE_QUERY privileges on query query1 and query2 in graph recommend. User Bob can still create queries in graph recommend, and read, update, drop, install and execute existing queries query1 and query2 since he is still granted the role myRole.